Business Continuity. Investment Adviser Association Compliance Conference Arlington, Virginia March 6-7, 2014

Transcription

1 Business Continuity Investment Adviser Association Compliance Conference Arlington, Virginia March 6-7, 2014 Jennifer L. Klass Morgan, Lewis & Bockius LLP 101 Park Avenue New York, New York

2 I. Introduction Business Continuity Investment Adviser Association Compliance Conference March 6-7, 2014 Jennifer L. Klass Christine M. Lombardo A. Business continuity refers to those processes and procedures an investment adviser puts into place to ensure that its essential functions can continue during an emergency or significant business disruption. Disaster recovery refers to the process of re-establishing those mission-critical services after a significant business disruption. Although the concepts of business continuity and disaster recovery are not new, they take on more importance and regulatory focus after significant events that cause wide-scale market disruptions. 1. After the terrorist attacks of September 11, 2001 ( 9/11 ), for example, there was renewed focus on business continuity, particularly given that the terrorist attacks resulted in a wide-scale disaster in our most highly concentrated financial services area. Market based and geographic concentrations significantly exacerbated disruptions. Because of the critical interdependencies, problems at key New York City infrastructure providers disrupted operations at distant institutions. Unanticipated financial system vulnerabilities were exposed as a consequence of this unprecedented disaster. Some back-up facilities were too close to primary facilities and both were disrupted or inaccessible. Other facilities were inadequate, had multiple occupants, or lacked critical equipment. Single points of failure in perceived diverse routing resulted in failed back-up communications systems The more recent events of Hurricane Sandy, which caused significant damage to the northeast coast of the United States on October 28 and 29, 2012, have again prompted renewed regulatory interest in business continuity plans. As a result, the Commodity Futures Trading Commission s Division of Swap Dealers and Intermediary Oversight ( CFTC ), the Financial Industry Regulatory Authority ( FINRA ) and the Securities and Exchange Commission s Office of Compliance Inspections and Examinations ( OCIE ) conducted a review of financial firms and on August 16, 2013, issued a joint report ( Joint Report ) discussing their observations from their review and considerations for firms in adopting and/or enhancing their business Jennifer L. Klass is a partner and Christine M. Lombardo is an associate in the Investment Management and Securities Industry practice group of Morgan Lewis resident in New York. Copyright 2014 Morgan, Lewis & Bockius LLP. All rights reserved. This outline provides general information on the subject matter discussed and should not be relied upon for legal advice on any matter. 1 Speech by SEC Staff: Disaster Recovery and Business Continuity Planning, Mary Ann Gadziala (May 1, 2003) available at 2

3 continuity and disaster recovery plans. 2 The Joint Report was followed by a SEC examination of business continuity plans of selected investment advisers located in the geographic region affected by Hurricane Sandy. The results of this OCIE sweep were discussed in a Securities and Exchange Commission s ( SEC ) National Examination Program ( NEP ) Risk Alert published on August 27, 2013 (the Risk Alert ) 3. Notably, the issues and considerations identified in both the Joint Report and the NEP Risk Alert were largely consistent. II. Regulatory Requirements for Business Continuity A. Investment Adviser Considerations under the Investment Advisers Act 1. While as a technical matter, business continuity plans are not explicitly required under the Investment Advisers Act ( Advisers Act ), Advisers Act Rule 206(4)-7 requires investment advisers to adopt and implement written policies and procedures reasonably designed to prevent Advisers Act violations. In the adopting release for Rule 206(4)-7, the SEC noted that while the rule does not enumerate specific elements that investment advisers should include in their compliance policies and procedures, there are several areas that the SEC staff would expect an adviser's policies and procedures to address at a minimum. Business continuity plans were identified as one of the items the SEC staff would expect advisers to include in their compliance programs. In including business continuity plans, the SEC staff explained that it believed an adviser s fiduciary obligation to its clients includes taking steps to protect the clients interest from risks resulting from the adviser s inability to provide adviser services after, for example, a natural disaster Further, investment advisers are subject to recordkeeping obligations under Advisers Act Rule Rule 204-2(g) permits advisers to maintain records in electronic storage, however such electronic storage media must be subject to procedures designed to maintain and preserve the records, so as to reasonably safeguard them from loss, alteration or destruction. 5 Given that most firms maintain records via electronic storage media, this recordkeeping rule implicitly requires business continuity procedures, as well. B. FINRA Rule Unlike investment advisers, broker-dealers are explicitly required by rule to maintain business continuity plans. As noted above, in the wake of 9/11, there was a renewed focus on business continuity and the ability of businesses, especially financial firms, to continue operations during times of crisis. Both the National Association of Securities Dealers ( NASD ) and NYSE Regulation Inc. ( NYSE ) (now collectively, FINRA) proposed and adopted rulemaking in the years 2 Business Continuity Planning, Joint report issued by the Commodity Futures Trading Commission, U.S. Securities and Exchange Commission and the Financial Industry Regulatory Authority (August 16, 2003). 3 National Exam Program Risk Alert by the Office of Compliance Inspections and Examinations, Volume II Issue 3 (Aug. 27, 2013). 4 Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Rel. No (Dec. 17, 2003). 5 Advisers Act Rule 204-2(g)(3)(i). 3

4 following 9/11 that require member firms to adopt written business continuity policies. 6 As with all NASD, NYSE or FINRA rules, the SEC reviewed and approved the business continuity rules. The NASD and NYSE business continuity rules have now been consolidated into FINRA Rule Under the terms of FINRA Rule 4370, broker-dealers must establish procedures relating to an emergency or significant business disruption. Such procedures must at a minimum address: a. data back-up and recovery (hard copy and electronic); b. all mission critical systems; c. financial and operational assessments; d. alternate communications between the firm and its customers; e. alternate communications between the firm and its employees; f. alternate physical location of employees; g. critical business constituent, bank and counter-party impact; h. regulatory reporting; and i. communications with regulators. In addition, a firm s business continuity plan must address how the firm will assure its customers prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business. Every firm must also disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope. 3. While FINRA Rule 4370 is not applicable to investment advisers, the requirements of the rule are a helpful tool that advisers can use in building a business continuity program. Advisers should use the required elements of the Rule as an instructive guide in creating an effective program. FINRA has also issued a sample business continuity plan (attached to this outline) which is a helpful resource that firms can use in creating and reviewing their policies. III. Post 9/11 Focus on Business Continuity A. As mentioned above, in response to the widespread disruption in business operations affecting financial firms after 9/11, regulators took a closer look at business continuity planning and how firms could enhance their disaster recovery plans to better prepare for a 6 NASD Rules 3510 and 3520; NYSE Rule 446; See NYSE Rulemaking re: Business Continuity and Contingency Planning, SEC Release No (Sep. 17, 2003). NASD Rulemaking re: Business Continuity and Contingency Planning, SEC Release No (Sep. 17, 2003). 7 SEC Release No (April 30, 2010). 4

5 widespread disruption. In a 2003 speech on disaster recovery and business continuity planning, Mary Ann Gadziala, then Associate Director of the SEC, noted that while business continuity planning was not a new concept in the financial services industry, until 9/11 such planning was focused on localized disasters or failures, such as office building fires or local blackouts. It wasn t until 9/11 that widespread systemic failure became a reality that the regulators and the financial industry needed to address. 8 B. Ms. Gadziala also discussed a paper issued by the SEC, the Federal Reserve Board and the Office of the Comptroller of the Currency ( OCC ) entitled Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System 9 (the Interagency Paper ). In the Interagency Paper the agencies identified three business continuity objectives: 1. Rapid recovery and timely resumption of critical operations following a widescale disruption; 2. Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operation location; and 3. A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. C. The Interagency Paper also identified four broad sound practices for core clearing and settlement organizations and firms that play a significant role in critical financial markets. The agencies noted that these sound practices build upon long-standing principles of business continuity planning and reflect actions identified by industry members that will strengthen the overall resilience of the U.S. financial system in the event of a wide-scale disruption. The agencies recognized that achieving the sound practices would take firms time and that the agencies did not want to prescribe specific methods of implementation, but instead identified these sound practices so that firms could have flexibility in implementation based on their own specific risk profile. The sound practices include: 1. Identification of clearing and settlement activities in each critical market in which a firm is a core clearing and settlement organization or plays a significant role. 2. Determination of appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets; 3. Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives; and 4. Routine use of testing and resumption arrangements. 8 Speech by SEC Staff: Disaster Recovery and Business Continuity Planning, Mary Ann Gadziala (May 1, 2003) available at 9 Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, SEC Release No (April 7, 2003). 5

6 D. Although the Interagency Paper was not specifically geared towards investment advisers and the review and issued guidance were in response to a very specific set of circumstances, the applicability of the guidance, specifically the principals underlying the guidance, to financial institutions continues to exist today. This is apparent when comparing the 2003 guidance to the recent guidance issued by regulators in the wake of Hurricane Sandy. Although the guidance has evolved, the underlying principals remain. IV. Joint Report A. The Joint Report, which was issued on August 16, 2013 by the CFTC, FINRA and OCIE (collectively, the Regulators ), outlines best practices for financial firms to consider when designing their business continuity plans. In the Joint Report, the Regulators encouraged firms to review their business continuity plans and consider implementing several best practices, which included, among others, the following: 1. Widespread Disruption Considerations The Regulators urged firms to consider widespread lack of telecommunications, transportation, electricity, office space, fuel and water. In doing so, firms were encouraged to consider their employees ability to work remotely during a crisis, as well as alternatives to reliance on telework, given that telecommuting relies heavily on telephone and internet services, which may not be fully functional during times of crisis. 2. Alternative Locations Considerations The Regulators urged firms to consider geographically diverse alternative or back-up locations, taking into account accessibility, generator capacity, and appropriate resources and staffing for the continuation of the business. The Regulators also suggested that firms consider making pre-arrangements for hotel or office space in alternative locations. 3. Vendor Relationship The Regulators urged firms to consider their critical vendor relationships and whether those critical vendors have adequate business continuity plans of their own. 4. Telecommunications Services and Technology Considerations The Regulators urged firms to consider contracting with multiple telecommunication carriers and to evaluate how such providers contingency plans may affect the firm s ability to operate in a crisis. In addition, firms were encouraged to consider enhancing the firm s telecommunications infrastructure to ensure staff remains fully functional during a time of crisis. 5. Communications Plans The Regulators urged firms to consider plans for providing customers and counterparties with information about the firm s operational status and general contact information during a crisis, including through website disclosure. The Regulators also urged firms to consider establishing relationships with multiple broker-dealers to facilitate alternative market entry points. Finally, the Regulators encouraged firms to establish a centralized process for accounting for all staff and communicating with staff, exchanges, regulators, emergency officials and other firms to ensure consistency of information flow during a crisis. 6. Regulatory Compliance Considerations The Regulators encouraged firms to consider time-sensitive regulatory requirements and to update business continuity plans regularly to include new regulatory and SRO requirements. 6

7 7. Review and Testing The Regulators urged firms to conduct full business continuity tests at least annually, including through use of stress testing, and conducting regular training to familiarize all personnel with the business continuity plans and their respective roles. B. As with the guidance and rulemaking issued in the wake of 9/11, the Joint Report reflects similar themes and identified best practices largely aligned with FINRA Rule Further, shortly following the issuance of the Joint Report, the SEC issued its own Risk Alert specifically geared towards investment advisers which included several considerations for advisers. V. NEP Risk Alert A. On August 27, 2013, the NEP issued a Risk Alert outlining observations and lessons learned during its review of the business continuity plans of approximately 40 investment advisers located in areas impacted by Hurricane Sandy (the Review ). (A copy of the Risk Alert is attached to this outline.) In the Risk Alert the NEP identified general observations and notable practices among the advisers it reviewed, and perhaps more significantly, identified notable weaknesses and possible future considerations for advisers to consider in adopting and implementing business continuity plans. B. Notable Weaknesses 1. Widespread Disruption Considerations The NEP identified some advisers with business continuity plans that did not adequately address and anticipate widespread events, such as where key personnel (such as portfolio managers) were unable to work remotely. These advisers generally experienced more interruptions in their key business operations and had inconsistent communication with clients and employees. 2. Alternative Locations Considerations The NEP observed some advisers that did not have geographically diverse office locations or back-up facilities, despite recognizing that geographic diversification would be appropriate. This was a particular issue for smaller advisers. 3. Vendor Relationship Considerations The NEP noted advisers failure to evaluate the business continuity plans of their service providers, thereby not ensuring that the service providers had controls that related to the adviser s ability to execute their own business continuity plans. The NEP also identified instances where advisers did not maintain updated lists of vendors and related contact information. 4. Telecommunication Services and Technology Considerations Telecommunication services and technology issues were a big factor in the week following Hurricane Sandy. In the Review, the NEP identified advisers that did not engage service providers to ensure back-up server function, but instead relied solely on self-maintenance. Such advisers experienced more interruptions in their key business operations. 5. Communications Plans Considerations With respect to communication planning, the NEP found that some advisers lacked adequate plans regarding how to contact and deploy employees, and inconsistently maintained communications with clients and employees. In some instances, advisers had a plan but did not identify which personnel should execute and implement the various parts of the plan. 7

8 6. Review and Testing Considerations Finally, the NEP found that some advisers inadequately tested their business continuity plans relative to their advisory businesses. Also, in certain instances advisers opted not to conduct certain critical tests because vendors charged for such tests. The NEP noted an example whereby advisers opted not to test their cloud-based disaster recovery solution because of the extra cost and therefore did not secure contracts for backup generators and were unaware that there was insufficient capacity to handle all customers. C. Future Considerations 1. Among the future considerations identified by the NEP included developing policies and procedures designed to address and anticipate widespread events, including interruptions in business operations and loss of key personnel for extended periods. 2. Furthering this point, the NEP suggested that advisers evaluate how to operate when faced with electrical failure and the loss of other utility services such as cable, phone and internet service. 3. Advisers should also consider having geographically diverse offices where possible, or maintaining back-up facilities on a power grid separate from the adviser s primary facility. 4. With respect to key vendors, the NEP encouraged advisers to evaluate the information technology infrastructure of service providers and potentially have alternate providers available. This is particularly so where the infrastructure of key service providers is in the same geographic area as the adviser. It is also important to have alternate internet provides available or obtain guaranteed redundancy from internet providers. 5. Finally, the NEP encouraged advisers to test the operability of all critical systems under the BCP in various scenarios, to both identify critical weaknesses in the business continuity plans but also to familiarize personnel with using key systems while in the business continuity plan mode. D. In concluding the Risk Alert, the NEP stated that the Review following Hurricane Sandy provided insight into the implementation of investment adviser s business continuity plans and how effective such plans could be in an actual disaster. The NEP noted that the SEC has previously discussed the need for advisers to have business continuity plans in place and encouraged advisers to review their plans in light of the information contained in the Risk Alert. 8

9 By the Office of Compliance Inspections and Examinations 1 In this Alert: Topic: Staff observations after a review of certain advisers business continuity plans following Hurricane Sandy. Key Takeaways: Advisers should review their continuity plans in light of the staff s observations and consider revising their plans if they see ways to make them better. Volume II, Issue 3 August 27, 2013 SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year Hurricane Sandy caused significant and wide-ranging damage across the northeast coast of the United States on October 28 and October 29, 2012, which led to the closure of the equities and options markets on October 29 and October 30, The storm prompted the SEC s National Examination Program ( NEP ) to review the business continuity and disaster recovery plans ( BCPs ) of approximately 40 advisers in the impacted areas to assess their compliance with applicable laws, rules, and regulations relating to BCP plans. The NEP contacted advisers in the geographic region affected by Hurricane Sandy to gain an understanding of how the advisers were impacted by the events surrounding the storm; specific emphasis was given to firms implementation of their BCPs. The NEP discussed with these advisers the range and impact of anticipated disasters and contingencies given the firm s location and circumstances, and the impact of Hurricane Sandy on processing of securities transactions (order taking, entry, execution, allocation, clearance and settlement) and delivery of funds and securities, client relations, financial and regulatory obligations, and technology, among other topics. This Alert contains the NEP staff s observations and lessons learned from the BCP review. The NEP encourages firms to review their BCPs and consider implementing these lessons as appropriate to help improve responses to, and to reduce recovery time after, significant large scale events The views expressed herein are those of the staff of the Office of Compliance Inspections and Examinations, in coordination with other SEC staff, including in the Division of Enforcement s Asset Management Unit and the Division of Investment Management. The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice. In addition to the effective practices noted herein, advisers should also consider the best practices and lessons learned as described in the Joint Review of Business Continuity and Disaster Recovery of Firms by the Commission s National Examination Program, the Commodity Futures Trading Commission s Division of Swap Dealers and Intermediary Oversight and the Financial Industry Regulatory Authority on August 16, 2013, available at ( Joint Review on BCP ). 1

10 I. RELEVANT SECURITIES LAWS, RULES, and REGULATIONS Rule 206(4)-7 under the Advisers Act requires each investment adviser to adopt and implement written policies and procedures reasonably designed to prevent the adviser from violating the Advisers Act. 3 These policies and procedures should include BCPs because an adviser s fiduciary obligation to its clients includes taking steps to protect the clients interests from risks resulting from the adviser s inability to provide advisory services after, for example, a natural disaster. 4 Under Advisers Act Rule 204-2, advisers have responsibilities to maintain books and records including a requirement to maintain electronic storage media so as to reasonably safeguard them from loss, alteration, or destruction. 5 II. STAFF OBSERVATIONS The NEP staff describes below its observations from the BCP review, including the general BCP policies and practices of the advisers it examined. Observations also include notable practices of advisers that were able to perform critical business operations and maintain more consistent communications with clients and employees while operating under their BCPs, as well as BCP weaknesses of advisers that experienced more interruptions in their key business operations and inconsistently maintained communications with clients and employees. The staff also identifies areas that advisers may consider when reviewing their BCPs. A. Widespread Disruption Considerations 1. General Observations and Notable Practices Advisers generally adopted and maintained written BCPs. The degree of specificity of the advisers written BCPs varied; some had also developed specific BCPs for Hurricane Sandy just prior to the storm s arrival. Advisers also generally distributed their BCPs widely within their businesses and operations. In some cases, employees were required to sign that they have received the plan annually, along with the compliance manual and code of ethics CFR (4)-7, available at See Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Release No (December 17, 2003) ( Final Rule Release ), available on the SEC s website at In this release, the Commission discussed the need for advisers to establish a reasonable process for responding to emergencies, contingencies, and disasters, and that an adviser's contingency planning process should be appropriately scaled, and reasonable in light of the facts and circumstances surrounding the adviser's business operations and the commitments it has made to its clients. See Advisers Act Rule 204-2(g), available at

11 Some advisers BCPs addressed critical systems of the adviser and were tailored to fit the adviser s business operations. Some advisers BCPs considered continued facility and systems operations with widespread remote access by employees. Some advisers compliance personnel worked collaboratively with the advisers various business lines to develop the BCPs and sought to achieve redundancy in key services and operations. Some advisers required all business units to identify contingency scenarios that would affect operations and derive multiple solutions to help ensure the advisers could meet their fiduciary duty to clients. Some advisers formed special committees to plan, develop, test and, if necessary, execute the advisers BCP. The staff observed that these committees were typically comprised of business unit staff and senior management. 2. Weakness Noted Some advisers adopted BCPs that did not adequately address and anticipate widespread events. These advisers generally experienced more interruptions in their key business operations and inconsistent communications with clients and employees. For example, some advisers did not have adequate plans addressing situations where key personnel, such as portfolio managers, were unable to work from home or other remote locations. 3. Possible Future Considerations Advisers should enhance the design and implementation of their BCPs by developing policies and procedures to address and anticipate widespread events, including possible interruptions in key business operations and loss of key personnel for extended periods. B. Alternative Locations Considerations 1. General Observations and Notable Practices Advisers generally switched to back-up sites or systems, if needed, in advance of trouble rather than waiting for shutdown or imminent threat. Some advisers reported that the buildings where they usually conduct their business were closed for days. One reported its building was closed for several weeks. Some reported extended outages of power, phone systems, and internet service. 3

12 Some advisers had back-up facilities on a power grid separate from the adviser s primary facility. Some advisers maintained critical business functions in more than one location in order to reduce potential disruption of operations by regional events. For example, an adviser established a remote, back-up location with an unaffiliated adviser. More often, however, the advisers used employees homes, branch offices, data centers or hotels as alternate locations. Additionally, advisers had back-up generators at homes to ensure connectivity. 2. Weakness Noted Some advisers did not have geographically diverse office locations, even when they recognized that diversification would be appropriate. Many smaller advisers had fewer geographically dispersed staff. 3. Possible Future Considerations Advisers should evaluate how to operate when faced with the possibility of electrical failure and the loss of other utility services (e.g., cable, phone). Establishing a back-up site inland may reduce risk if the adviser s business is located on a coast. In addition, advisers may want to consider other sites farther away from the adviser s main office sites that are not affected by the same power and utility outages as the main office. Loss of internet connectivity was an issue for many of the advisers reviewed. C. Vendor Relationship Considerations 1. Notable Practices Some advisers required third party service providers to test their BCP annually and report results to the adviser. 2. Weakness Noted Some advisers did not evaluate the BCPs of their service providers. For example, some advisers did not acquire or critically review service providers Statement on Standards for Attestation Engagements No. 16 reports ( SSAE 16 reports ) 6 and BCPs. In doing so, the advisers did not ensure that the service providers plans incorporated key business 6 Information regarding SSAE 16 reports is available on the American Institute of CPA ( AICPA ) website at This website describes Service Organization Control ( SOC ) reports for service providers as reports prepared by independent Certified Public Accountants using the SSAE 16 professional standards. These reports are intended to meet the needs of the entities that use service organizations (user entities) in evaluating the effect of the controls at the service organization on the user entities financial statements. 4

13 continuity controls that related to the advisers ability to execute their own BCPs. In some cases, advisers reported that they did not keep an updated list of vendors and respective contacts at each entity. 3. Possible Future Considerations Advisers should consider reviewing the IT infrastructure of service providers as their infrastructure may be in the same geographic area in which the adviser is located. Advisers may wish to consider whether, based on risk, it is necessary to have multiple back-up servers. Advisers should evaluate how to operate when the adviser or a service provider s facilities are faced with the risk of weather-related events, including flooding. Disrupted operations at service providers can create unforeseen operational challenges. D. Telecommunications Services and Technology Considerations 1. General Observations and Notable Practices Advisers had generally implemented technology to allow employees to work from remote sites, which typically included from home. Some utilized offsite technology, such as Citrix and VPN, to accomplish this and others utilized internet-based access portals. Some advisers established and tested direct point-to-point network lines between their main offices and multiple back-up office sites. Some advisers maintained current portfolio data at multiple service providers and had tested the connectivity to the providers to ensure that the data was accessible from remote locations. Some advisers arranged to have key power systems tied to advisers generators so electricity and air conditioning would be available for the entire building (especially important in a multi-tenant building with no electricity back-up). Some advisers adequately maintained system capacity (physical and electronic) to accommodate staff who may be displaced and may need to work from home or an alternative location. Some advisers established and tested server internet connection via wireless cards for use if the primary connection was lost. Some advisers electronic equipment kept in ground level facilities was elevated to mitigate risk of damage in the event of flooding. Some advisers maintained uninterrupted battery power supply that kept power for essential operations running until the back-up generator turned on during power outages. 5

14 2. Weakness Noted Some advisers did not engage service providers to ensure that back-up servers functioned properly. Rather, the advisers relied solely on self-maintenance, which led to more interruptions in their key business operations. 3. Possible Future Considerations Advisers should consider having alternate internet providers available or obtain guaranteed redundancy from internet providers. If key suppliers are not diversifying their data/telecommunication connectivity, such lack of diversification is a risk in its own right. Advisers are encouraged to explore the appropriateness of keeping back-up files and systems in the adviser s primary office location. Many advisers stated that they are now exploring the use of cloud computing. E. Communications Plans Considerations 1. General Observations and Notable Practices Advisers generally communicated with employees before, during, and after the storm regarding such things as the status of the adviser s business, operations, and back-up locations. One firm reserved local hotel rooms for essential employees in anticipation of the storm. Some advisers regularly communicated the status of their operations with their clients. For example: Main telephone line provided a recorded message stating that offices were closed and provided clients with instructions for contacting the firm and employees who were working remotely. Websites provided information regarding the firm s status. Third party vendors were used to send s in connection with the storms to clients. Answering services provided updates to clients. 2. Weakness Noted Some advisers did not adequately plan how to contact and deploy employees during a crisis, and inconsistently maintained communications with clients and employees. Some advisers had an overall plan, but it did not identify which personnel should execute and implement the various parts of the plan. 6

15 3. Possible Future Considerations Advisers should consider contacting clients (directly and/or via an blast) before a major storm to see if they have any transactions (cash raised, funds transferred, wire instructions executed, etc.) they will need executed if an extended outage occurs. F. Regulatory and Compliance Considerations As noted in the Joint Review on BCPs for broker-dealers, advisers should regularly update their BCPs to include new regulatory requirements. In addition, advisers should consider time-sensitive regulatory requirements, since a crisis event can occur at any time. G. Review and Testing Considerations 1. General Observation and Notable Practices Advisers generally conducted tests of their BCPs prior to the storms. These tests were conducted at least annually, and some advisers specifically tested their BCPs in preparation for the storm. Some advisers developed comprehensive plans that had been tested periodically, typically annually. Some advisers tested generators frequently, such as weekly, to validate that they were working properly. 2. Weaknesses Noted Some advisers inadequately tested their BCPs relative to their advisory businesses, such as applying limited scenario-testing assumptions or not testing all critical business operations and systems. Some advisers opted not to conduct certain critical tests because vendors provided disincentives or charged for testing. For example, some advisers opted not to test their cloud-based disaster recovery solution because of the extra charge for this service. Consequently, these advisers did not secure contracts to provide back-up generators and did not know that there was insufficient capacity to handle all of their customers. 3. Possible Future Considerations Advisers should consider testing the operability of all critical systems under the BCP using various scenarios. Such testing may minimize disruptions to operations because critical weaknesses may be identified and resolved and personnel may become more fluent with using key systems while in the BCP mode. 7

16 III. CONCLUSION The NEP staff s review of certain advisers BCPs following Hurricane Sandy provided insight into the ways that advisers affected by weather-related events had implemented their plans and how effective they were in a live scenario. The Commission has previously discussed the need for advisers to have BCPs in place, 7 and the NEP encourages advisers to review their plans and consider their effectiveness in light of the observations and information in this Alert. The staff also welcomes comments and suggestions about how the Commission s examination program can better fulfill its mission to promote compliance, prevent fraud, monitor risk, and inform SEC policy. If you suspect or observe activity that may violate the federal securities laws or otherwise operates to harm investors, please notify us at This Risk Alert is intended to highlight for firms risks and issues that the staff has identified in the course of examinations regarding the business continuity plans of certain investment advisers following operational disruptions caused by weather-related events in In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks and issues, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm s business. While some of the factors discussed in this Risk Alert may reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances. 7 See note 4, supra. 8

17 Business Continuity Plan Template for Small Introducing Firms [Firm Name] Business Continuity Plan (BCP) Updated May 12, 2010 This optional template is provided to assist small introducing firms in fulfilling their need to create and maintain business continuity plans (BCPs) and emergency contact person lists under FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information). The template recognizes that many small introducing firms rely on parts of a clearing firm s or other entity s BCP for many of the mission-critical functions of the introducing firm. Nothing in this template creates any new requirements on clearing firms or other entities, or new requirements for BCPs. Note: Following this template does not guarantee compliance with or create any safe harbor with respect to FINRA rules, the federal securities laws or state laws. The obligation to develop a BCP is not a one-size-fits-all requirement, and you must tailor your plan to fit your particular firm s situation. FINRA Rule 4370(c) requires that firms relying on another entity for elements of their BCP or mission-critical systems must address that relationship in their plan. This template is written for small introducing firms that use a clearing firm, and includes sample language regarding the nature of that particular relationship only. If your firm conducts a different type of business (e.g., sells only mutual funds), you must modify the template to describe the entities you rely on and the nature of those relationships. The language contained in this template is provided as a starting point for developing your firm s plan. It is highly unlikely that the language of this template standing alone will fully fit your firm s business situation. In this regard, you must customize the language of this template to reflect your firm's activities and issues. If you have prepared a plan in a different format, you may wish to attach the appropriate sections of that plan to this template to confirm that you have addressed all of the individual elements. Critical Elements There are 10 critical elements of a BCP specified in FINRA Rule Each firm need only address the elements applicable to its business, but if you do not include a specified element in your firm s plan, your plan must document why it is not included: DB1/

18 (1) Data back-up and recovery (hard copy and electronic); (2) All mission critical systems; (3) Financial and operational assessments; (4) Alternate communications between customers and the member; (5) Alternate communications between the member and its employees; (6) Alternate physical location of employees; (7) Critical business constituent, bank, and counter-party impact; (8) Regulatory reporting; (9) Communications with regulators; and (10) How the firm will assure customers prompt access to their funds and securities in the event that the member determines that it is unable to continue its business. Keep in mind that the above-listed elements are not exhaustive; you should address other key areas for your plan to be complete and thorough, based on your firm s business and operations. TEXT EXAMPLES are provided to give you sample language that you can modify to create your firm s plan. Material in italics provides instructions, citations to relevant rules and other resources that you can use to develop your firm s plan. The FINRA BCP Web page includes important information and links to other websites with useful information. You may also consider consulting the General Accounting Office s reports on Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants, Report Nos. GAO (Feb. 2003) and GAO (Feb. 2003); the Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U. S. Financial System by the Securities and Exchange Commission (SEC) and other federal financial institution regulators; and the business continuity information on the websites of the Securities Industry and Financial Markets Association (SIFMA), the Business Continuity Institute (BCI) and the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). Firms relying on third-party providers to provide services in connection with their BCPs should review Notice to Members (NTM) 05-48, (July 2005). For historical guidance and background, see NTM and Regulatory Notices and I. Emergency Contact Persons Identify your firm s two emergency contact persons. Your firm must identify its emergency contact persons through the FINRA Contact System (FCS). In addition, your firm must use FCS to update the contact information promptly (but no later than 30 days following any change in the information) and annually review and update, if necessary, the information within 17 business days after the end of each calendar year. Each emergency contact person must be an associated person of the firm, and at least one DB1/

19 emergency contact person must be a member of senior management and a registered principal of the firm. If your firm designates a second emergency contact person who is not a registered principal of your firm, then that contact person must be a member of senior management who has knowledge of the firm s business operations. If your firm has only one associated person, the second emergency contact must be an individual, either registered with another firm or non-registered, who has knowledge of your firm s business operations (e.g., your firm s attorney, accountant or clearing firm contact person). TEXT EXAMPLE: Our firm s two emergency contact persons are: [name, phone number, ] and [name, phone number, - identify second person's relationship to the firm if not a registered principal of the firm]. The firm will provide FINRA with the contact information for the two emergency contact persons: (1) name; (2) title; (3) mailing address; (4) address; (5) telephone number; and (6) facsimile number through the FINRA Contact System (FCS). [Name] will promptly notify FINRA of any change in this information through FCS (but no later than 30 days following the change) and will review, and if necessary update, this information within 17 business days after the end of each calendar year. Rule: FINRA Rule 4370(f); NASD Rule II. Firm Policy State your firm s objectives for business continuity in the face of both internal and external significant business disruptions (SBDs), including your firm s obligation to grant customers access to their funds and securities in the event of a significant business disruption. This policy should be given to all employees. State who has the authority to execute the plan, where the plan is stored, and how to access the plan. TEXT EXAMPLE: Our firm s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the firm s books and records, and allowing our customers to transact business. In the event that we determine we are unable to continue our business, we will assure customers prompt access to their funds and securities. A. Significant Business Disruptions (SBDs) Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm s ability to communicate and do business, such as a fire in our building. External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of our clearing firm. B. Approval and Execution Authority DB1/

20 [Name, title], a registered principal, is responsible for approving the plan and for conducting the required annual review. [Name, title] has the authority to execute this BCP. C. Plan Location and Access Our firm will maintain copies of its BCP plan and the annual reviews, and the changes that have been made to it for inspection. An electronic copy of our plan is located on [server name] in the [file/folder name]. Rule: FINRA Rule 4370(b), (d) and (e). III. Business Description State the types of business that your firm conducts. TEXT EXAMPLE: Our firm conducts business in equity, fixed income, and derivative securities. Our firm is an introducing firm and does not perform any type of clearing function for itself or others. Furthermore, we do not hold customer funds or securities. We accept and enter orders. All transactions are sent to our clearing firm, which [executes our orders,] compares them, allocates them, clears and settles them. Our clearing firm also maintains our customers accounts, can grant customers access to them, and delivers funds and securities. Our firm services only retail customers [OR retail and institutional customers]. We do not engage in any private placements. Our clearing firm is [name, address, phone number, address, website] and our contact person at that clearing firm is [name, phone number, ]. Our clearing firm has also given us the following alternative contact in the event it cannot be reached: [name, address, phone number, address, website] IV. Office Locations List the locations of all of your offices, registered and unregistered, and state the means of transportation that employees may use to reach that facility. State also which mission critical systems, as defined below, take place at each location. TEXT EXAMPLE: Our firm has offices located in Location #1 and Location #2. A. Office Location #1 Our Location #1 Office is located at [address]. Its main telephone number is [insert]. Our employees may travel to that office by means of [insert all that apply (e.g., foot, car, subway, train, bus, boat, plane, etc.)]. We engage in order taking and entry at this location. B. Office Location #2 DB1/

21 Our Location #2 Office is located at [address]. Its main telephone number is [insert]. Our employees may travel to that office by means of [insert all that apply e.g., foot, car, subway, train, bus, boat, plane, etc.)]. We engage in order taking and entry at this location. V. Alternative Physical Location(s) of Employees List the alternate physical location(s) your firm will use in the event an SBD affects the operation of your office locations. TEXT EXAMPLE: In the event of an SBD, we will move our staff from affected office(s) to the closest of our unaffected office location(s). If none of our other office locations is available to receive those staff, we will move them to [name of firm, (if different), address]. Its main telephone number is [phone number]. Rule: FINRA Rule 4370(c)(6). VI. Customers Access to Funds and Securities State that your firm does not maintain custody of customers funds or securities and how your firm will make them available to customers in the event of an SBD. State the entity at which such funds and securities are held and how your firm will facilitate access to them. Describe any relationship between your firm s ability to grant customer access to funds and securities and Securities Investor Protection Corporation (SIPC) regulations on the disbursement of funds and securities. TEXT EXAMPLE: Our firm does not maintain custody of customers funds or securities, which are maintained at our clearing firm, [insert name]. In the event of an internal or external SBD, if telephone service is available, our registered persons will take customer orders or instructions and contact our clearing firm on their behalf, and if our Web access is available, our firm will post on our website that customers may access their funds and securities by contacting [insert contact information]. The firm will make this information available to customers through its disclosure policy. If SIPC determines that we are unable to meet our obligations to our customers or if our liabilities exceed our assets in violation of Securities Exchange Act Rule 15c3-1, SIPC may seek to appoint a trustee to disburse our assets to customers. We will assist SIPC and the trustee by providing our books and records identifying customer accounts subject to SIPC regulation [and insert any additional procedures]. Rules: FINRA Rule 4370(a); Securities Exchange Act Rule 15c3-1; see also 15 U.S.C. 78eee. VII. Data Back-Up and Recovery (Hard Copy and Electronic) DB1/